644166b8a2731b21dc26aaf580997fdcbecd7946e6e550f73a114f4f53eac6b8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Size

90KB
MD5

752512bd8420ade861113fafa0946ab0
SHA1

f728cf03128e088aeff886246f8d2146e873b176
SHA256

644166b8a2731b21dc26aaf580997fdcbecd7946e6e550f73a114f4f53eac6b8
SHA512

10a1d043ef0cad1463153976f7839c85c3b3db6636ce69c818cdf9b269cc838e490ed7d481dcc5a0a30a869ce678ec6f250de2ca5f1b3958afab55d68e0c9569
SSDEEP

768:Qvw9816vhKQLro14/wQRNrfrunMxVFA3b7glws:YEGh0o1l2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{27DD892C-E3F8-409a-B899-EE53778FF932}.exe{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe{169E2C06-2D4A-48b9-A849-B93F11863612}.exe{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe{6D233906-6309-47cd-8B49-835A4C4C8392}.exe752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}\stubpath = "C:\\Windows\\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe"	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{169E2C06-2D4A-48b9-A849-B93F11863612}	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C18DAD18-BE39-4af3-A979-635CC014D24A}\stubpath = "C:\\Windows\\{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe"	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3851B80-A310-4180-9C04-D55B5EAC35E8}\stubpath = "C:\\Windows\\{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe"	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE01952-640D-414e-961A-8BB0280DCF8B}	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27DD892C-E3F8-409a-B899-EE53778FF932}\stubpath = "C:\\Windows\\{27DD892C-E3F8-409a-B899-EE53778FF932}.exe"	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{169E2C06-2D4A-48b9-A849-B93F11863612}\stubpath = "C:\\Windows\\{169E2C06-2D4A-48b9-A849-B93F11863612}.exe"	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}\stubpath = "C:\\Windows\\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe"	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}\stubpath = "C:\\Windows\\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe"	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D233906-6309-47cd-8B49-835A4C4C8392}\stubpath = "C:\\Windows\\{6D233906-6309-47cd-8B49-835A4C4C8392}.exe"	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE01952-640D-414e-961A-8BB0280DCF8B}\stubpath = "C:\\Windows\\{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe"	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27DD892C-E3F8-409a-B899-EE53778FF932}	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}\stubpath = "C:\\Windows\\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe"	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D109F2-83A9-480d-B3A7-57657C969EC2}\stubpath = "C:\\Windows\\{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe"	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3851B80-A310-4180-9C04-D55B5EAC35E8}	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D233906-6309-47cd-8B49-835A4C4C8392}	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}\stubpath = "C:\\Windows\\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe"	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D109F2-83A9-480d-B3A7-57657C969EC2}	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C18DAD18-BE39-4af3-A979-635CC014D24A}	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe

Executes dropped EXE 12 IoCs

Processes:

{27DD892C-E3F8-409a-B899-EE53778FF932}.exe{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe{169E2C06-2D4A-48b9-A849-B93F11863612}.exe{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe{6D233906-6309-47cd-8B49-835A4C4C8392}.exe{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe

pid	process
4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
2468	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
4544	{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe

Drops file in Windows directory 12 IoCs

Processes:

{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe{169E2C06-2D4A-48b9-A849-B93F11863612}.exe{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe{6D233906-6309-47cd-8B49-835A4C4C8392}.exe{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{27DD892C-E3F8-409a-B899-EE53778FF932}.exe{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe

description	ioc	process
File created	C:\Windows\{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
File created	C:\Windows\{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
File created	C:\Windows\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
File created	C:\Windows\{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
File created	C:\Windows\{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
File created	C:\Windows\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
File created	C:\Windows\{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
File created	C:\Windows\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
File created	C:\Windows\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
File created	C:\Windows\{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
File created	C:\Windows\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
File created	C:\Windows\{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{27DD892C-E3F8-409a-B899-EE53778FF932}.exe{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe{169E2C06-2D4A-48b9-A849-B93F11863612}.exe{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe{6D233906-6309-47cd-8B49-835A4C4C8392}.exe{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
Token: SeIncBasePriorityPrivilege	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
Token: SeIncBasePriorityPrivilege	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
Token: SeIncBasePriorityPrivilege	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
Token: SeIncBasePriorityPrivilege	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
Token: SeIncBasePriorityPrivilege	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
Token: SeIncBasePriorityPrivilege	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
Token: SeIncBasePriorityPrivilege	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
Token: SeIncBasePriorityPrivilege	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
Token: SeIncBasePriorityPrivilege	3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
Token: SeIncBasePriorityPrivilege	2468	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1116 wrote to memory of 4468	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
PID 1116 wrote to memory of 4468	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
PID 1116 wrote to memory of 4468	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
PID 1116 wrote to memory of 2336	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 1116 wrote to memory of 2336	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 1116 wrote to memory of 2336	1116	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 4468 wrote to memory of 3500	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
PID 4468 wrote to memory of 3500	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
PID 4468 wrote to memory of 3500	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
PID 4468 wrote to memory of 4244	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	cmd.exe
PID 4468 wrote to memory of 4244	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	cmd.exe
PID 4468 wrote to memory of 4244	4468	{27DD892C-E3F8-409a-B899-EE53778FF932}.exe	cmd.exe
PID 3500 wrote to memory of 5088	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
PID 3500 wrote to memory of 5088	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
PID 3500 wrote to memory of 5088	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
PID 3500 wrote to memory of 448	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	cmd.exe
PID 3500 wrote to memory of 448	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	cmd.exe
PID 3500 wrote to memory of 448	3500	{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe	cmd.exe
PID 5088 wrote to memory of 4952	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
PID 5088 wrote to memory of 4952	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
PID 5088 wrote to memory of 4952	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
PID 5088 wrote to memory of 3020	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	cmd.exe
PID 5088 wrote to memory of 3020	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	cmd.exe
PID 5088 wrote to memory of 3020	5088	{169E2C06-2D4A-48b9-A849-B93F11863612}.exe	cmd.exe
PID 4952 wrote to memory of 408	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
PID 4952 wrote to memory of 408	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
PID 4952 wrote to memory of 408	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
PID 4952 wrote to memory of 336	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	cmd.exe
PID 4952 wrote to memory of 336	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	cmd.exe
PID 4952 wrote to memory of 336	4952	{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe	cmd.exe
PID 408 wrote to memory of 3132	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
PID 408 wrote to memory of 3132	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
PID 408 wrote to memory of 3132	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
PID 408 wrote to memory of 4688	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	cmd.exe
PID 408 wrote to memory of 4688	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	cmd.exe
PID 408 wrote to memory of 4688	408	{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe	cmd.exe
PID 3132 wrote to memory of 2196	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
PID 3132 wrote to memory of 2196	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
PID 3132 wrote to memory of 2196	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
PID 3132 wrote to memory of 2920	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	cmd.exe
PID 3132 wrote to memory of 2920	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	cmd.exe
PID 3132 wrote to memory of 2920	3132	{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe	cmd.exe
PID 2196 wrote to memory of 2292	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
PID 2196 wrote to memory of 2292	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
PID 2196 wrote to memory of 2292	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
PID 2196 wrote to memory of 3464	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	cmd.exe
PID 2196 wrote to memory of 3464	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	cmd.exe
PID 2196 wrote to memory of 3464	2196	{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe	cmd.exe
PID 2292 wrote to memory of 4244	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
PID 2292 wrote to memory of 4244	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
PID 2292 wrote to memory of 4244	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
PID 2292 wrote to memory of 664	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	cmd.exe
PID 2292 wrote to memory of 664	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	cmd.exe
PID 2292 wrote to memory of 664	2292	{6D233906-6309-47cd-8B49-835A4C4C8392}.exe	cmd.exe
PID 4244 wrote to memory of 3740	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
PID 4244 wrote to memory of 3740	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
PID 4244 wrote to memory of 3740	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
PID 4244 wrote to memory of 4080	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	cmd.exe
PID 4244 wrote to memory of 4080	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	cmd.exe
PID 4244 wrote to memory of 4080	4244	{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe	cmd.exe
PID 3740 wrote to memory of 2468	3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
PID 3740 wrote to memory of 2468	3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
PID 3740 wrote to memory of 2468	3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe	{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
PID 3740 wrote to memory of 2252	3740	{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
C:\Windows\{27DD892C-E3F8-409a-B899-EE53778FF932}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
C:\Windows\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
C:\Windows\{169E2C06-2D4A-48b9-A849-B93F11863612}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
C:\Windows\{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
C:\Windows\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
C:\Windows\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
C:\Windows\{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
C:\Windows\{6D233906-6309-47cd-8B49-835A4C4C8392}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
C:\Windows\{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
C:\Windows\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
C:\Windows\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe
C:\Windows\{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe
13⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB147~1.EXE > nul
13⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3EBC~1.EXE > nul
12⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE01~1.EXE > nul
11⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6D233~1.EXE > nul
10⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B3851~1.EXE > nul
9⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD51~1.EXE > nul
8⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E2784~1.EXE > nul
7⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C18DA~1.EXE > nul
6⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{169E2~1.EXE > nul
5⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF721~1.EXE > nul
4⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{27DD8~1.EXE > nul
3⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\752512~1.EXE > nul
2⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{169E2C06-2D4A-48b9-A849-B93F11863612}.exe

Filesize
90KB

MD5
8d6808d6fa4fc42ce9b42af9f6c3f43a

SHA1
9ded750da738e0db6b46f9756965de72742e5aec

SHA256
a3e3b6ea21e0e80cbd6f5114f6a19acca896e1b2f7ba3b94ffa565cec92f86dd

SHA512
b499ce788e80e620f5c6f8b2578990d8852bcea6d18288fad407c1c43e79973103933aa63b7c21fab7086e98268757ff9d747e6b8c3aed8641cf2a687a2c3fd5

Download Submit
C:\Windows\{27DD892C-E3F8-409a-B899-EE53778FF932}.exe

Filesize
90KB

MD5
27a36892fc5a10262f5e03a718991057

SHA1
1ead97a681c0fd61329f0bb1ed57346d41fcd324

SHA256
5eb8346dee50fbc097132059f4ff32cf0efe8dd8a458719d9589d0ad12f18fc8

SHA512
577c451c295190bc90ef2b133aeadb4ed8338594b169089b91dc42349ce0f229a0d7ca35edc4e5be2ebabd859971397380e23b16c9e6d83184985a0d2fc3e25a

Download Submit
C:\Windows\{6D233906-6309-47cd-8B49-835A4C4C8392}.exe

Filesize
90KB

MD5
f7bdbdcd5f5277ea26dc5a0b099f5f5b

SHA1
35e5e5c593f28bbc71e7c9dbc078c23e19bbf69d

SHA256
d848ac1d4a943351b18870ac0ff1211d3c02838ecb0fdf006dca6cd191c28153

SHA512
648bf2385ae47aa8c4ce51232bdb0ce4c9601ffb4a391d17d8c2a76c59318a9a85a050b6304d6392038b538c603b24248d7bb07f90a67eda381e7850e62fa421

Download Submit
C:\Windows\{9DD5100F-68CB-43b4-89A3-415CE988A6C9}.exe

Filesize
90KB

MD5
3f03b71cd06202e53d1b8faa2ff4ffeb

SHA1
5299aaced3c3baf23ac4bf9c91e4f8d013bbb77a

SHA256
5e95be323b2b8cc16de35a90158a48af8c27eaab48e02fb41679b796fedd6bf2

SHA512
1dec3c64c1ad4263924e08b3900b9b56b6ba524333907dbcccedcd554f731727ac08f23e08658ea49f0578e805db8be3107a560ca9aedb8a9a7678d943a49a1e

Download Submit
C:\Windows\{A3EBCB16-D91B-4ff5-A8B0-9665B2BB889D}.exe

Filesize
90KB

MD5
92e23159d4701e394f5fd53dc18f5ea3

SHA1
d496824fc91e3656086412af9ef8e6c52231bfc4

SHA256
ca5ca5a0285abc7d969b973fafd20daf801410a6a45d332246afbef19b9b8924

SHA512
a78241fb9bc9ba6f1c349f0c9abd688f0a96aa48060b519a51d4f6f81f6776e3ec1eb5816c214988d22d60af8671ea064235c38aaef7d30fd653672993dbb143

Download Submit
C:\Windows\{B3851B80-A310-4180-9C04-D55B5EAC35E8}.exe

Filesize
90KB

MD5
e77d09084445ecccdd9e9cf6452f3360

SHA1
bcd210fd431f9297393d8da49589647e0b617930

SHA256
491b609df526f83db917f4423261695094e48e34d9349f84add80bf4556b7047

SHA512
4f4b3c2f7e917aacd82240a6b4f0c9956fd924a9d2a856c83e2baa9444664156633348d93b0e9006dc0d971642e1aa017e9c30a84c095d013a07cf9856e1ffea

Download Submit
C:\Windows\{BB147702-5029-49b9-B7C4-4BCF1ABBA4FC}.exe

Filesize
90KB

MD5
fb8383b604eada3bde398597b86f076c

SHA1
32e6c42403be31ed1d8fec9835734c4ec4f07473

SHA256
163c82090d558a35b92b316fdeac9000c923adfcd6a63e2cd178e1525eba3b12

SHA512
4d992131ab2eb3b5cf70defbafff882876ac303fdd641541e93bd893b2ceeeab4f7cc6b9a3f684ab748267862eb890b3146d3fa70f6a640208e772c4dc645b17

Download Submit
C:\Windows\{BDE01952-640D-414e-961A-8BB0280DCF8B}.exe

Filesize
90KB

MD5
c8ecc1d0ec041111aeda351a59c35ee7

SHA1
f0cc84c5209d573940997e5156fa5434f7b704c2

SHA256
908e9b9e044dcba091346d8a9cca0b74bd8b580bba3e99b28b1c746e45f1f58b

SHA512
3d1894ecac471fa7c4214fd110aa1f77159308dd3739e7b85f7b408741612390b490cf2909215860200a9d61af86b1d7b8301fc019158abf7e73e641ae57ae91

Download Submit
C:\Windows\{BF721E0E-2E03-490a-8C9C-6B5D5BB23A0C}.exe

Filesize
90KB

MD5
30fc81564d69b937ccd934338903d593

SHA1
c78d3fa070a28164272bad5a3d58ce201e2dfb3d

SHA256
f9346ff727850e63ac6ffb32ef0c6a4466e9662f8150fa4d948d0c324e7da2bf

SHA512
9c2299d01ed40d41aeb6ca8bf082b7e3372f8da88382aa0a9e69c0bd06ee213806db262f29f8de5c16eb653c5cd307b25467eb82e815e479d1e2aad6bfd0af5c

Download Submit
C:\Windows\{C18DAD18-BE39-4af3-A979-635CC014D24A}.exe

Filesize
90KB

MD5
e4f9148c873b1b501fa498f908a5a1ae

SHA1
eb7d3645ab1dd4ee851f47b1c149c61b158b9d42

SHA256
bc10d8a51e50c38874c5def3806972bf1e5c843e7eaa317abf83ad5de09e8567

SHA512
6b333f4097eba77a03801f4151296bfb97314ad2e9a66f142f280ae42326c6a4c318f8bf592e6335b9e8d904a34503f2072e0c95475fbf6db26e0f09d40fed21

Download Submit
C:\Windows\{E2784774-8649-412f-B8AC-C40B4CD6D6DB}.exe

Filesize
90KB

MD5
0d54e7835a08e4b335a16b144b597e00

SHA1
ae6c04b3e3fc0f92b1f65373bc318ecec04b44b0

SHA256
39818d743432cb63d40f3b5cb131f29840b654b236564c00f515be78ec9703b4

SHA512
a7bbfee8016a2ea97b32804019db07e777ad1d174cafeffa5e50d5ae6dcfe19273e104ea630d93eebf2606e2bb776fe8e4f1e5d778c5f46bb7e442b0fb100d66

Download Submit
C:\Windows\{E6D109F2-83A9-480d-B3A7-57657C969EC2}.exe

Filesize
90KB

MD5
ef644752f478542c9edffe5448c7d7bc

SHA1
7aa1acec546f0bd9d2835b407aebc7e302bd37be

SHA256
f581602ab152ec3111de4f5ae3b4ddb81369098994b6d007df8eb4f0781f48d7

SHA512
977462e04d0ffdaed222b6c3820c045632b42daccbff4325907a7c70fa34f273e8a71c11452abf4929743b8501d4b06905047ec0d1e71a41a7bd6edbb3a68d26

Download Submit